Add ort (#45)

eclipse-velocitas · Dec 13, 2022 · dad981e · dad981e
1 parent fcb564f
commit dad981e
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 32 deletions.
diff --git a/.ort.yml b/.ort.yml
@@ -16,48 +16,61 @@ curations:
   packages:
   - id: "PyPI::pytest-cov:4.0.0"
     curations:
-      comment: "Add correct license"
-      concluded_license: MIT
+      comment: "Proper license is defined in package repository https://pypi.org/project/pytest-cov/"
+      concluded_license: "MIT"
   - id: "PyPI::coverage:6.5.0"
     curations:
-      comment: "Add correct license"
-      concluded_license: Apache-2.0
-  - id: "PyPI::grpcio:1.49.1"
+      comment: "Proper license is defined in package repository https://pypi.org/project/coverage/"
+      concluded_license: "Apache-2.0"
+  - id: "PyPI::gitdb:4.0.10"
     curations:
-      comment: "Add correct license"
-      concluded_license: Apache-2.0
-  - id: "PyPI::identify:2.5.6"
+      comment: "Proper license is defined in package repository https://pypi.org/project/gitdb/"
+      concluded_license: "BSD-3-Clause"
+  - id: "PyPI::grpcio:1.48.2"
     curations:
-      comment: "Add correct license"
-      concluded_license: MIT
-  - id: "PyPI::setuptools:65.5.0"
+      comment: "Proper license is defined in package repository https://pypi.org/project/grpcio/"
+      concluded_license: "Apache-2.0"
+  - id: "PyPI::identify:2.5.9"
     curations:
-      comment: "Add correct license"
-      concluded_license: MIT
+      comment: "Proper license is defined in package repository https://pypi.org/project/identify/"
+      concluded_license: "MIT"
+  - id: "PyPI::setuptools:65.6.3"
+    curations:
+      comment: "Proper license is defined in package repository https://pypi.org/project/setuptools/"
+      concluded_license: "MIT"
+  - id : "PyPI::filelock:3.8.2"
+    curations:
+      comment: "Proper license is defined in package repository https://pypi.org/project/filelock/"
+      concluded_license: "Unlicense"
+  - id : "PIP::sdv-requirements:0.7.2"
+    curations:
+      comment: "Bosch maintained component"
+      concluded_license: "Apache-2.0"
+
 
 resolutions:
   vulnerabilities:
-  - id: "CVE-2018-20225"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
-  - id: "CVE-2022-1941"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
-  - id: "CVE-2022-3171"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
   - id: "CVE-2022-42969"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
+    reason: "INEFFECTIVE_VULNERABILITY"
+    comment: "Vulnerability only applicable for SVN projects. Requires a change to be made by a third party https://github.com/pytest-dev/py/issues/287"
   - id: "CVE-2018-20225"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
+    reason: "MITIGATED_VULNERABILITY"
+    comment: "Mitigating control: avoiding use of the --extra-index-url parameter for pip"
   - id: "CVE-2019-20907"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
+    reason: "INVALID_MATCH_VULNERABILITY"
+    comment: "Only applicable for python version <=3.8.3 or <3.9.0-b5 python 3.10 in use"
   - id: "CVE-2019-20916"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
+    reason: "INVALID_MATCH_VULNERABILITY"
+    comment: "pip < 19.2 is affected pip in use 22.3.1"
   - id: "sonatype-2012-0071"
-    reason: CANT_FIX_VULNERABILITY
-    comment: "Requires a change to be made by a third party that is not responsive."
+    reason: "INVALID_MATCH_VULNERABILITY"
+    comment: "only relevan for python 2.7 python 3.10 in use"
+  - id: "sonatype-2022-6046"
+    reason: "INVALID_MATCH_VULNERABILITY"
+    comment: "affected wheel < 0.38.4 wheel = 0.38.4 in use"
+  - id: "	CVE-2022-33124"
+    reason: "CANT_FIX_VULNERABILITY"
+    comment: "aiohttp consider this vulnerability as false possitive. No prove that issue leads to DoS attack. Requires a change to be made by a third party"
+  - id: "CVE-2020-11023"
+    reason: "INEFFECTIVE_VULNERABILITY"
+    comment: "No evidences that pkg:pypi/deprecation@2.1.0 is affected. mainly jquery package is affected"
diff --git a/README.md b/README.md
@@ -2,6 +2,9 @@
 
 [![CI workflow](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/ci.yaml/badge.svg)](https://github.com/eclipse-velocitas/vehicle-app-python-sdk/actions/workflows/ci.yaml)
 [![License: Apache](https://img.shields.io/badge/License-Apache-yellow.svg)](http://www.apache.org/licenses/LICENSE-2.0)
+[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)
+[![Imports: isort](https://img.shields.io/badge/%20imports-isort-%231674b1?style=flat&labelColor=ef8336)](https://pycqa.github.io/isort/)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 
 The `Vehicle App SDK` reduces the effort required to implement Vehicle Apps by using the Velocitas development model for the Python programming language. To create a Vehicle App, please use our [Vehicle App Template](https://github.com/eclipse-velocitas/vehicle-app-python-template) which uses this sdk.